Create IAM Administrative Groups

As a best
practice, don't use your AWS account root user to interact with AWS, including AWS CloudHSM.
Instead, use AWS Identity and Access Management (IAM) to create an IAM user, IAM
role, or federated user.
Follow the steps in the Create an IAM User and Administrator Group
section to create an administrator group and attach the
AdministratorAccess policy to it. Then create a new administrator
user and add the user to the group. Add additional users to the group as needed.
Each user
you add inherits the AdministratorAccess policy from the group.

Another best practice is to create an AWS CloudHSM administrator group that has only
the
permissions required to run AWS CloudHSM. Add individual users to this group as
needed. Each user
inherits the limited permissions that are attached to the group rather than full
AWS
access. The Customer Managed Policies for AWS CloudHSM section that follows contains the policy that
you should attach to your AWS CloudHSM administrator group.

AWS CloudHSM defines an service–linked role for your AWS account. The service–linked role
currently defines permissions that allow your account to log AWS CloudHSM events.
The role can be
created automatically by AWS CloudHSM or manually by you. You cannot edit the role,
but you can
delete it. For more information, see Service-Linked Roles for AWS CloudHSM.

Create an IAM User and Administrator Group

Start by creating an IAM user along with an administrator group for that
user.

To create an administrator user for yourself and add the user to an administrators
group (console)

We strongly recommend that you adhere to the best practice of using the
Administrator IAM user below and securely lock away
the root user credentials. Sign in as the root user only to perform a few
account and service
management tasks.

In the navigation pane, choose Users and then choose
Add user.

For User name, enter
Administrator.

Select the check box next to AWS Management Console access. Then select
Custom password, and then enter your new password in the text box.

(Optional) By default, AWS requires the new user to create a new password when first
signing in. You
can clear the check box next to User must create a new password at
next sign-in to allow the new user to reset their password after they sign
in.

Back in the list of groups, select the check box for your new group. Choose
Refresh if necessary to see the group in the list.

Choose Next: Tags.

(Optional) Add metadata to the user by attaching tags as key-value pairs. For more
information about using tags in IAM, see Tagging IAM Entities
in the IAM User Guide.

Choose Next: Review to see the list of group memberships to be
added to the new user. When you are ready to proceed, choose Create
user.

You can use this same process to create more groups and users and to give your users
access to your AWS account resources. To learn about using policies that restrict
user
permissions to specific AWS resources, see Access Management and
Example Policies.